Determining the Level of Risk to ePHI

The HIPAA Security Rule requires that covered entities (health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with a HIPAA related transaction), and business associates, implement security safeguards. These security safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. Performing a security risk analysis is the first step in identifying and implementing these safeguards.  A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This article focuses on the sixth step of the security risk analysis, which consists of determining the level of ePHI risk.

What are the Elements of a Security Risk Analysis?

The security risk analysis includes six elements:

  • Collecting Data
  • Identifying and Documenting Potential Threats and Vulnerabilities
  • Assessing Current Security Measures
  • Determining the Likelihood of Threat Occurrence
  • Determining the Potential Impact of Threat Occurrence
  • Determining the Level of Risk to ePHI

Once steps 1 through 5 of the security risk analysis have been completed, step 6 of the security risk analysis, “Determining the Level of Risk to ePHI,” can be addressed.

What Does “The Level of Risk” Mean?

The term “risk,” as used in the phrase “security risk analysis,” can be defined as a function of two things:

  • The likelihood of a given threat triggering or exploiting a specific vulnerability (this value is determined in Step 4 of the security risk analysis); and
  • The resulting impact (this value is determined in step 5 of the security risk analysis).

Generally, the greater the likelihood of a given threat occurring, AND the greater the impact of the threat occurring is, the higher the level of risk to an organization. The higher the degree of a risk is, the more reasonably anticipated that risk is. 

The phrase “reasonably anticipated,” in the context of a security risk analysis, should ring a bell. Recall that the Security Rule requires entities to evaluate risks and vulnerabilities in their environments, and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats to the security or integrity of ePHI. Risk analysis is the first step in that process.

How is the Level of Risk Determined?

The level of risk is determined by analyzing the values assigned to the likelihood of threat occurrence, and the resulting impact of threat occurrence. The level of risk may be determined by assigning a risk level that is based on the average of the assigned likelihood and impact levels.

A risk level matrix can be used to assist in determining and ranking risk levels. The matrix is created using the values for likelihood of threat occurrence and resulting impact of threat occurrence. The matrix may be populated using a “high,” “medium,” and “low” rating system. For example, a threat likelihood value of “high” combined with an impact value of “low” may equal a risk level of “low.” Or a threat likelihood value of “medium” combined with an impact value of “medium” may equal a risk level of “medium.” 

Once risk level is determined, the next step is to label each risk level with a general action description to guide senior management decision making. The action description identifies the general timeline and type of response (i.e., steps to be taken, and what kinds and volume of resources must be used during the process) needed to reasonably and appropriately reduce the risk to acceptable levels

For example, a risk level of “high” could have an action description requiring immediate implementation of high-resource-consuming corrective measures to reduce the risk to a reasonable and appropriate level. On the other hand, a risk level of “low” could have an action description requiring that implementation be complete within several weeks, with minimal resource expenditure needed for corrective measures.

Assigning action descriptions provides the covered entity additional information to prioritize risk management efforts. The highest-level risks should be prioritized first.

Each risk level should contain an associated (and documented) list of mitigating corrective actions to be performed. 

Entities should document the output of each step of the risk level determination process. 

Compliancy Group Simplifies HIPAA Compliance

Covered entities and business associates can address their security risk analysis by working with Compliancy Group to address federal HIPAA security standards. Completing a security risk analysis is required to become HIPAA compliant. 

Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address HIPAA Security Rule standards so they can get back to confidently running their business. 

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance!

HIPAA Protects You

Protect your business from expensive breaches and fines!